There's no denying that Pokémon Go, the Niantic-developed augmented reality mobile game, has been a breakthrough hit. However, for Apple iOS users signed up to the app with their Google account, a security nightmare has emerged as some players are finding the game is granting "full account access" without asking for prior permission.
The findings were first revealed by cybersecurity expert Adam Reeve, who slammed the situation as a "huge security risk" and revealed that, at the time of writing, iPhone and iPad users are affected. Despite facing its own security woes, the Android OS is not believed to be impacted.
As noted by the Google support page, any app that has "full account access" will give its developers the ability to "see and modify nearly all information in your Google account." This includes email inboxes, calendar entries, search histories alongside content in Google Drive and Google Photos.
"This 'full account access' privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet," Google warns.
What's worse, multiple tests conducted by ZDNet show the Pokémon Go application does not ask for permission for such access. Instead, it skips straight to the game's terms and conditions, which make no reference to what access it demands.
According to Reeve, the Pokémon Go developers have "no need" for this information. "When a developer sets up the 'Sign in with Google' functionality they specify what level of access they want - best practices and simple logic dictate you ask for the minimum you actually need, which is usually just simple contact information," he wrote in a blog post on 11 July 2016.
"I obviously don't think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don't know anything about Niantic's security policies. I don't know how well they will guard this awesome new power they've granted themselves, and frankly I don't trust them at all."
In a statement to IBTimes UK, Niantic noted the issue was real but maintained the application only uses "basic" account data.
It said: "We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account.
"However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected.
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.
"Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."
[UPDATE: The Pokémon Go app corrected its permissions and is now totally safe to use]
In the meantime, you can check all the applications that have been granted access to your Google account here. If Pokémon Go is being granted full access you can revoke the permission; however, please note this may impact your in-game progress.
Pokémon Go was released earlier this month to rave reception. As previously reported, the app surged in popularity and has already been installed on more Android devices in the US than Tinder. While still lacking a solid release date for the UK, Europe and Japan, reports indicate the game is set for release in these regions "within a few days."
This article was updated to insert a statement from Niantic.